Re: NSS_Initialize failed. NSS with apache 2.2.10 (mod_nss 1.0.8)
Ok, I am sorry. It was just a small mistake. The gencert script did not change the access rights of the databases. After chmod everything works fine.

Stefan Kirchner wrote on 02.12.2008 11:11:
> [...]
Re: Creating a Global User-level CA/Trust Infrastructure for Secure Messaging
> Hmm, Anders, apologies in advance for the RTFM question, but can you
> please summarise those two docs, or explain the essential points in more
> detail?

That's the problem in a nutshell; there is no "FM"!

The answer I'm looking for (but know is unavailable) is how to apply client/employee PKI to the scheme on p2 of:
http://webpki.org/papers/web/A.R.AppliedPKI-Lesson-1.pdf

I have even tried to get academia interested. The answer is always: "we don't do applications".

Another example is NIST's b2b testbed that does not even mention the word security:
http://www.mel.nist.gov/msid/b2btestbed

Anyway, using a bank-like transaction backbone, you can create secure networks using very simple means, without having to implement PKI on the desktop. The latter then becomes a separate mission.

Anders

----- Original Message -----
From: "Ian G" <[EMAIL PROTECTED]>
To: "mozilla's crypto code discussion list"
Sent: Sunday, November 30, 2008 02:19
Subject: Re: Creating a Global User-level CA/Trust Infrastructure for Secure Messaging

Anders Rundgren wrote:
> Nelson B Bolyard wrote:
>
>> I have contacts in the former Soviet Union who claim that Russian banks
>> now routinely require PKI hardware for authentication as a condition of
>> online banking.
>
>> How sad that I live in a nation that is such a technological back-water. :)
>
> It sure is. The US is about the only major IT-nation where the government
> haven't even the slightest embryo to an architecture for secure messaging
> between agencies, not to mention between agencies and the private sector.
> So far they have managed keeping this a secret, since nobody has been able
> to decipher what the gazillion of "CIO-documents" littered with government
> buzz-words like FISSMA actually means for an architect.
>
> Fortunately, most EU governments have (with the German-speaking regions
> as the notable exception...), begun to build on architectures based on a
> paradigm that banks established 3-4 decades before them:
> http://webpki.org/papers/web/gateway.pdf
>
> Another strong reason for that is briefly described in this document:
> http://webpki.org/papers/web/A.R.AppliedPKI-Lesson-1.pdf
> It is fascinating meeting the consultants that the US government use,
> who all claim that this is nonsense; FIPS201/PIV can do it all!
> But since there is no blueprint supporting that position, progress
> remains firmly stuck at zero.

Hmm, Anders, apologies in advance for the RTFM question, but can you please summarise those two docs, or explain the essential points in more detail?

iang

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
NSS_Initialize failed. NSS with apache 2.2.10 (mod_nss 1.0.8)
Hello NSS community,

I am trying to integrate NSS 3.12 into apache 2.2.10 via mod_nss 1.0.8 (on RHEL 5.2). I want to use SSL over NSS and I always get the following error messages while starting the webserver:

[Tue Dec 02 11:02:02 2008] [info] Configuring server for SSL protocol
[Tue Dec 02 11:02:02 2008] [debug] nss_engine_init.c(594): Enabling SSL3
[Tue Dec 02 11:02:02 2008] [debug] nss_engine_init.c(599): Enabling TLS
[Tue Dec 02 11:02:02 2008] [debug] nss_engine_init.c(770): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Tue Dec 02 11:02:02 2008] [info] Using nickname Server-Cert.
[Tue Dec 02 11:02:02 2008] [notice] Apache/2.2.10 (Unix) mod_nss/2.2.10 NSS/3.12.0.3 configured -- resuming normal operations
[Tue Dec 02 11:02:02 2008] [error] NSS_Initialize failed. Certificate database: /usr/local/apache2/nss.
[Tue Dec 02 11:02:02 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Tue Dec 02 11:02:02 2008] [error] NSS_Initialize failed. Certificate database: /usr/local/apache2/nss.
[Tue Dec 02 11:02:02 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Tue Dec 02 11:02:02 2008] [error] NSS_Initialize failed. Certificate database: /usr/local/apache2/nss.
[Tue Dec 02 11:02:02 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Tue Dec 02 11:02:02 2008] [error] NSS_Initialize failed. Certificate database: /usr/local/apache2/nss.
[Tue Dec 02 11:02:02 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Tue Dec 02 11:02:02 2008] [error] NSS_Initialize failed. Certificate database: /usr/local/apache2/nss.
[Tue Dec 02 11:02:02 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Tue Dec 02 11:02:02 2008] [error] NSS_Initialize failed. Certificate database: /usr/local/apache2/nss.
[Tue Dec 02 11:02:02 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED

What I did:
- Compiled and installed NSS and httpd (both successfully tested)
- Compiled and installed mod_nss
- I ran the gencert script to create the NSS databases and the certificates (it uses certutil)
  -> the certificates are validated (with certutil -V -u V)
- httpd.conf (changes):
  -> Set LogLevel debug
  -> Added Include conf/nss.conf
- nss.conf (changes):
  -> Set LogLevel debug
  -> Set correct path to the database
  -> Added NSSEnforceValidCerts off
  (NSSNickname Server-Cert as it is created by the gencert script of mod_nss)

# ./modutil -dbdir /usr/local/apache2/nss/ -list
Listing of PKCS #11 Modules
---
1. NSS Internal PKCS #11 Module
   slots: 2 slots attached
   status: loaded

   slot: NSS Internal Cryptographic Services
   token: NSS Generic Crypto Services

   slot: NSS User Private Key and Certificate Services
   token: NSS Certificate DB
---

# ./certutil -d /usr/local/apache2/nss/ -L
Certificate Nickname    Trust Attributes
                        SSL,S/MIME,JAR/XPI
cacert                  CTu,Cu,Cu
Server-Cert             u,u,u
alpha                   u,pu,u,

Can someone help me? Any ideas? Thanks in advance.

Stefan Kirchner
Re: NSS_Initialize failed. NSS with apache 2.2.10 (mod_nss 1.0.8)
Stefan Kirchner wrote, On 2008-12-02 02:11:
> Hello NSS community,
>
> I am trying to integrate NSS 3.12 into apache 2.2.10 via mod_nss 1.0.8 (on
> RHEL 5.2). I want to use SSL over NSS
> and I always get the following error messages while starting the webserver:

> [Tue Dec 02 11:02:02 2008] [error] NSS_Initialize failed. Certificate
> database: /usr/local/apache2/nss.
> [Tue Dec 02 11:02:02 2008] [error] SSL Library Error: -8038
> SEC_ERROR_NOT_INITIALIZED

I believe there's probably something wrong with the code that output those lines into the log file. NSS_Initialize does not set the error code SEC_ERROR_NOT_INITIALIZED.

I suspect that an inspection of the code in mod_nss will show that it called NSS_Initialize, which failed, but then it did not check the error code until after it had called some other NSS function which set error code SEC_ERROR_NOT_INITIALIZED, such as NSS_Shutdown or SECOID_AddEntry.

If my suspicion is correct, then that code (presumably in mod_nss) will never output a meaningful error code. That would be a problem to be fixed by the maintainers of mod_nss.
Re: NSS_Initialize failed. NSS with apache 2.2.10 (mod_nss 1.0.8)
Stefan Kirchner wrote:
> Ok, I am sorry. It was just a small mistake. The gencert script did not change the access rights of the databases. After chmod everything works fine.

Both this and the error code should probably get fed back to mod_nss. I believe you can create a bug in bugzilla.redhat.com
  Classification: Fedora
  Product: Fedora
  Component: mod_nss

Stefan Kirchner wrote on 02.12.2008 11:11:
> [...]
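The fix Stefan found (the gencert-created databases were not readable by the httpd process) can be checked before the next restart. This added example is mine, not mod_nss's or the gencert script's; it assumes the cert8.db/key3.db/secmod.db layout NSS 3.12 uses and an httpd that runs as a member of the group owning the files.

```shell
#!/bin/sh
# Added example, not part of the thread or of mod_nss/gencert: check that an
# NSS database directory (e.g. /usr/local/apache2/nss) is usable by an
# unprivileged httpd before restarting, the gap that produced the
# NSS_Initialize failure above once gencert left its files owner-only.
# Assumptions (mine): the NSS 3.12 cert8.db/key3.db/secmod.db layout, and an
# httpd running as a member of the group that owns the directory, so group
# read (plus group search on the directory) is what it needs; "other" must
# not be able to read key3.db, which holds the server's private key.
set -u

GROUP_READ=040     # -perm -040: group read bit set
GROUP_SEARCH=010   # -perm -010: group execute/search bit set (directories)
OTHER_READ=004     # -perm -004: world read bit set

# has_mode PATH BITS: true when all of BITS are set on PATH.
# find -perm is used instead of test -r so the answer does not depend on
# who runs this check (root can read anything; httpd cannot).
has_mode() {
    [ -n "$(find "$1" -prune -perm "-$2")" ]
}

# nss_db_check DIR: return 0 when the directory is group-searchable, every
# database file exists and is group-readable, and key3.db is not
# world-readable; otherwise print each finding and return 1.
nss_db_check() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir"; return 1
    fi
    if ! has_mode "$dir" "$GROUP_SEARCH"; then
        echo "NOSEARCH $dir (httpd's group cannot enter the directory)"; rc=1
    fi
    for f in cert8.db key3.db secmod.db; do
        path="$dir/$f"
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        if ! has_mode "$path" "$GROUP_READ"; then
            echo "NOREAD   $path (httpd's group cannot read it)"; rc=1
        fi
    done
    key="$dir/key3.db"
    if [ -f "$key" ] && has_mode "$key" "$OTHER_READ"; then
        echo "EXPOSED  $key (world-readable private-key database)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK       $dir"
    return "$rc"
}
```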
where does certutil put a cert's private keys?
first off: i am but a humble java programmer by trade; not a sysadmin; nor a network guy. so a lot of nss tool-related stuff is a foreign language to me. please, help a certutil rookie make sense of the world?

i'm experimenting with using client authn between a command-line ldapsearch client (for this experiment, the one that comes with sun's directory server resource kit v 5.2) and sun one directory server 5.1 (on solaris 9 sparc).

using openssl, i created a self-signed ca cert (and keys) plus an ldap server cert (and keys) and a client cert (and keys); the client and server certs are both signed by my self-signed ca cert. certs and keys for all three (ca, server, client) are in pem format.

i successfully installed the server and ca certs into the directory server; i then added the ca and client certs into $HOME/.netscape/cert7.db using the following certutil command line:

certutil -A -a -i ./myClientCert.pem -n "myClientCert" -c "myCACert" -t "u,u,u" -d $HOME/.netscape

(and a similar command for the ca cert)

after running that command, i was able to successfully view the just-added cert with: "certutil -L -n myClientCert -d $HOME/.netscape"

that leads me to my first question:

1. does that command implicitly add the cert's private key into $HOME/.netscape/key3.db?

2. if not, how do i add the cert's private key to key3.db?

the certutil docs (http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html) say,

"The Certificate Database Tool is a command-line utility that can...display the contents of the key database..."

i've read and reread that page over and over; but i still can't figure out which command to use to make certutil "display the contents of the key database".

if it's any help, i'm using the binary version of certutil that came precompiled as part of the sun one directory server resource kit 5.2 (dsrk52) on solaris 9 sparc. for what it's worth: the certs were created on my mac with openssl, then jarred and ftp'd over to the sun box.

as far as wanting to view keys, i'm guessing it's actually the pk12util tool i want (http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html) instead of certutil. is that right? if so, then please can you also clear up a couple things about pk12util?

the pk12util docs say, "Import a certificate and private key from the p12file into the database." the way i read that description, it implies that both the private key and cert get imported into the same database ("into __the__ database"). am i understanding that correctly?

3. what exactly _does_ get added to key3.db?

4. how can i view what's in key3.db?

if you're interested, the reason for my questions stems from the following ldapsearch error:

bebop$ /development/projects/dsrk52/lib/ldapcsdk/tools/ldapsearch -h bebop -p 636 -Z -P /home/bebop/.netscape/cert7.db -N "myClientCert" -W "**" -K /home/bebop/.netscape/key3.db -b "" "(objectClass=*)"
ldapssl_enable_clientauth: Bad parameter to an ldap routine
ldapssl_enable_clientauth: additional info: unable to find certificate
SSL error -8174 (security library: bad database.)
Re: where does certutil put a cert's private keys?
On Dec 2, 8:59 pm, "fat.fuck" <[EMAIL PROTECTED]> wrote:
> [...]
> bebop$ /development/projects/dsrk52/lib/ldapcsdk/tools/ldapsearch -h
> bebop -p 636 -Z -P /home/bebop/.netscape/cert7.db -N "myClientCert" -W
> "**" -K /home/bebop/.netscape/key3.db -b "" "(objectClass=*)"
> ldapssl_enable_clientauth: Bad parameter to an ldap routine
> ldapssl_enable_clientauth: additional info: unable to find certificate
> SSL error -8174 (security library: bad database.)

hello forum,

i've answered a couple of my own questions; thanks to "http://kb.mozillazine.org/Key3.db"

"key3.db contains a key used to encrypt and decrypt saved passwords."

reading the pk12util docs further, i worked out that the cert's private key must be inside cert7.db along with the cert; as this command description suggests:

"-o p12file - Export certificate and private key, specified by the -n option, from the database to the p12 file."

now, if anybody could help shed light on this error i'm getting using my certs and keys for 2-way ssl, please chime in:

> ldapssl_enable_clientauth: Bad parameter to an ldap routine
> ldapssl_enable_clientauth: additional info: unable to find certificate
> SSL error -8174 (security library: bad database.)

thanks in advance for your help.
Re: where does certutil put a cert's private keys?
I've never had to use ClientAuth with Sun's Directory Server, but here are some observations:

1) Keys are *never* stored in certN.db; they're always in keyN.db; only certificates are in certN.db. The association between the key and the cert is made via the cert's nickname (in your case: myClientCert);

2) You do not have the Private Key of your client cert in your keyN.db file, since you haven't imported it. You need to use openssl to create a P12 file with your Private Key and cert, and then use the pk12util to import the P12 to the Mozilla (Netscape) databases (the key will automatically go to keyN.db and the cert will go to certN.db); you need to get past this problem before you can do anything with ClientAuth.

However, I would recommend that you get the LDAP working with SSL but *without* ClientAuth to ensure that your server-side SSL is setup correctly, first. Once you can access your directory server over SSL without ClientAuth, the next step is to add ClientAuth.

Finally, if you're going to be using digital certificates, while openssl will do the job for you, since you say you know Java, you can also use keytool from the JDK to create your key, cert and P12 - all using the same command; you can then just import the P12 to the Mozilla databases. If you want to use an industrial-strength tool for your certificates, either use DogTag or EJBCA.

Arshad Noor
StrongAuth, Inc.

fat.fuck wrote:
> bebop$ /development/projects/dsrk52/lib/ldapcsdk/tools/ldapsearch -h
> bebop -p 636 -Z -P /home/bebop/.netscape/cert7.db -N "myClientCert" -W
> "**" -K /home/bebop/.netscape/key3.db -b "" "(objectClass=*)"
> ldapssl_enable_clientauth: Bad parameter to an ldap routine
> ldapssl_enable_clientauth: additional info: unable to find certificate
> SSL error -8174 (security library: bad database.)
>
> now, if anybody could help shed light on this error i'm getting using
> my certs and keys for 2-way ssl, please chime in:
>
> > ldapssl_enable_clientauth: Bad parameter to an ldap routine
> > ldapssl_enable_clientauth: additional info: unable to find certificate
> > SSL error -8174 (security library: bad database.)
>
> thanks in advance for your help.
Re: where does certutil put a cert's private keys?
fat.fuck wrote:
> [...]
> hello forum,
>
> i've answered a couple of my own questions; thanks to "http://kb.mozillazine.org/Key3.db"
>
> "key3.db contains a key used to encrypt and decrypt saved passwords."
>
> reading the pk12util docs further, i worked out that the cert's private
> key must be inside cert7.db along with the cert; as this command
> description suggests:
>
> "-o p12file - Export certificate and private key, specified by the -n
> option, from the database to the p12 file."

No, not exactly - private keys are stored in key3.db - certs are stored in cert7.db. What version of NSS are you using anyway? cert7.db is really old - NSS switched to cert8.db a long time ago.

certutil -L will show you your certs.
certutil -L -n "myClientCert" will show you that particular cert

I suppose you could run ldapsearch with strace or truss to see what file it cannot find or open.

If this is an ldapsearch issue, you might want to follow up to mozilla.dev.tech.ldap

> now, if anybody could help shed light on this error i'm getting using
> my certs and keys for 2-way ssl, please chime in:
>
> > ldapssl_enable_clientauth: Bad parameter to an ldap routine
> > ldapssl_enable_clientauth: additional info: unable to find certificate
> > SSL error -8174 (security library: bad database.)
>
> thanks in advance for your help.
NSS-enabled OpenSSH Linux distro
Hi,

which Linux distros support an NSS-enabled OpenSSH client? I know that the OpenSSH client in Fedora supports it. Is any other distro planning to support the NSS-based crypto consolidation vision presented in http://fedoraproject.org/wiki/FedoraCryptoConsolidation?

Thanks.
--
Subrata
Re: where does certutil put a cert's private keys?
On Dec 2, 11:02 pm, Rich Megginson <[EMAIL PROTECTED]> wrote:
> [...]
> No, not exactly - private keys are stored in key3.db - certs are stored
> in cert7.db. What version of NSS are you using anyway? cert7.db is
> really old - NSS switched to cert8.db a long time ago.
>
> certutil -L will show you your certs.
> certutil -L -n "myClientCert" will show you that particular cert
>
> I suppose you could run ldapsearch with strace or truss to see what file
> it cannot find or open.
>
> If this is an ldapsearch issue, you might want to follow up to
> mozilla.dev.tech.ldap
> [...]

thanks mr megginson, i since
Re: where does certutil put a cert's private keys?
On 12/03/2008 02:20 AM, fat.fuck:
> i didn't explicitly supply the certs' private key file location to
> the certutil command line when i added the certs to cert7.db
> (although, the private key .pem files were in fact in the same
> directory as the .pem cert files when i ran the certutil command).

This most likely means that there is no private key stored, just the
public key/certificate. You'd need to provide a PKCS12 file instead
which includes the private key.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: where does certutil put a cert's private keys?
On 3 Dec, 00:29, Eddy Nigg <[EMAIL PROTECTED]> wrote:
> On 12/03/2008 02:20 AM, fat.fuck:
> > i didn't explicitly supply the certs' private key file location to
> > the certutil command line when i added the certs to cert7.db
> > (although, the private key .pem files were in fact in the same
> > directory as the .pem cert files when i ran the certutil command).
>
> This most likely means that there is no private key stored, just the
> public key/certificate. You'd need to provide a PKCS12 file instead
> which includes the private key.
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> Jabber: [EMAIL PROTECTED]
> Blog: https://blog.startcom.org

thanks for your reply mr. nigg,

> This most likely means that there is no private key stored, just the
> public key/certificate. You'd need to provide a PKCS12 file instead
> which includes the private key.

that makes sense. thanks, mr nigg. now, please, can you tell me how i
can view|list the private keys in key3.db once i've run certutil with
a pkcs12 file?

> "The Certificate Database Tool is a command-line utility that
> can...display the contents of the key database..."

what is the certutil command that the above statement from the
certutil docs is referring to?

mr. megginson, i can't work out what version of nss/certutil came
bundled with the dsrk v 5.2 (is there a command i can run that would
tell me?). all i know is i downloaded the dsrk 5.2 binaries from sun
and installed it on my sun box on nov 25, 2006. so it's safe to assume
i'm using whichever release of nss that was current on that date; i
guess.

i do know that the $HOME/.netscape on my sun box is from netscape
communicator 4.76. again, the only reason i used that location is
because the tutorial i was using instructed me to. and there just
happened to be a cert7.db file at that location. from now on, i will
use the cert8.db file in my "mozilla 1.4 for sun java desktop system
(solaris operating system edition)" profile.

also, running "truss ldapsearch..." spewed out a lot of gibberish that
i don't have time to decipher at the moment. thanks for the suggestion
anyway, mr. megginson.

thanks in advance to anybody else in the ng who can also fill me in on
anything that might be helpful.
Re: where does certutil put a cert's private keys?
fat.fuck wrote:
> first off: i am but a humble java programmer by trade; not a sysadmin;
> nor a network guy. so a lot of nss tool-related stuff is a foreign
> language to me. please, help a certutil rookie make sense of the
> world?

Welcome.

> using openssl, i created a self-signed ca cert (and keys) plus an ldap
> server cert (and keys) and a client cert (and keys); the client and
> server certs are both signed by my self-signed ca cert. certs and keys
> for all three (ca, server, client) are in pem format.
>
> i successfully installed the server and ca certs into the directory
> server; i then added the ca and client certs into $HOME/.netscape/
> cert7.db using the following certutil command line:
>
> certutil -A -a -i ./myClientCert.pem -n "myClientCert" -c "myCACert"
> -t "u,u,u" -d $HOME/.netscape (and a similar command for the ca cert)
>
> after running that command, i was able to successfully view the just-
> added cert with: "certutil -L -n myClientCert -d $HOME/.netscape"
>
> that leads me to my first question:
>
> 1. does that command implicitly add the cert's private key into
> $HOME/.netscape/key3.db?

No. That command only told certutil to import a cert, and only gave
certutil the name of the PEM file with the certificate.

> 2. if not, how do i add the cert's private key to key3.db?

NSS does not deal with private keys in PEM files. It only deals with
private keys in PKCS#12 files. You can get the OpenSSL utility program
to combine the PEM files for the cert and its private key into a single
PKCS#12 file, and then import that PKCS#12 file into NSS's databases
using NSS's utility program named pk12util. That's the only supported
way to import private keys from files into NSS.

> the certutil docs (http://www.mozilla.org/projects/security/pki/nss/
> tools/certutil.html) say,
>
> "The Certificate Database Tool is a command-line utility that
> can...display the contents of the key database..."
>
> i've read and reread that page over and over; but i still can't figure
> out which command to use to make certutil "display the contents of the
> key database".

certutil defines LOTS of single character command line options.
Most of the ones with capital letters (e.g. -A, -L, -K) specify a
function that certutil must perform. The lower case letters all supply
other information needed for that function. Some useful function
options are:

-A -n X      add a cert to the cert database and give it nickname X
-L           list the nicknames of the certs in the database
-L -n X      pretty print the details for the cert nicknamed X
-L -n X -r   output the cert nicknamed X in binary
-L -n X -a   output the cert nicknamed X in PEM format
-K           list the private keys by nickname or public key value.

> if it's any help, i'm using the binary version of certutil that came
> precompiled as part of the sun one directory server resource kit 5.2
> (dsrk52) on solaris 9 sparc. for what it's worth:

That's pretty ancient now. I suggest you try NSS 3.11.x or 3.12.x

> as far as wanting to view keys, i'm guessing it's actually the
> pk12util tool i want (http://www.mozilla.org/projects/security/pki/nss/
> tools/pk12util.html) instead of certutil. is that right?

pk12util is a tool to deal with PKCS#12 files. PKCS#12 files contain
private keys and certs, and are used to transport a private key and its
related certs from one system or set of software to another. PKCS#12 is
the one file format that is universally supported for this purpose by
all the major crypto software packages (including, but not limited to:
NSS, OpenSSL, and MS Windows).

> the pk12util docs say, "Import a certificate and private key from from
> the p12file into the database." the way i read that description, it
> implies that both the private key and cert get imported into the same
> database ("into __the__ database"). am i understanding that correctly?

The doc is missing a letter. Should be databaseS.

> 3. what exactly _does_ get added to key3.db?

keys. Private keys, and occasionally symmetric secret keys.

> 4. how can i view what's in key3.db?

Well, you can't see the actual private key values, but they wouldn't do
you much good even if you could. You can see information that helps you
figure out which certificate(s) they go with using the command

certutil -K

> if you're interested, the reason for my questions stems from the
> following ldapsearch error:
>
> bebop$ /development/projects/dsrk52/lib/ldapcsdk/tools/ldapsearch -h
> bebop -p 636 -Z -P /home/bebop/.netscape/cert7.db -N "myClientCert" -W
> "**" -K /home/bebop/.netscape/key3.db -b "" "(objectClass=*)"
> ldapssl_enable_clientauth: Bad parameter to an ldap routine
> ldapssl_enable_clientauth: additional info: unable to find certificate
> SSL error -8174 (security library: bad database.)

I can't help you with ldapsearch, but I can help you with that error
message. That error message is very misleading. The error code -817
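The import path described in the answer above (bundle the PEM cert and its key into PKCS#12 with openssl, import with pk12util, confirm with certutil -K), as an added example that is not part of the thread. It assumes openssl, certutil and pk12util are on PATH; every file name, nickname and password in it is constructed for the example, and the check that the key actually belongs to the cert before bundling is an addition the thread does not mention.

```shell
#!/bin/sh
# Added example (not from the thread): certutil -A stores only the cert;
# the private key reaches key3.db (key4.db on newer NSS) only through a
# PKCS#12 bundle imported with pk12util. Names/passwords are constructed.

# Create a throwaway CA, a CA-signed client cert and their keys, all PEM.
make_test_certs() {
    dir="$1"; mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=myCACert \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=myClientCert \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client.pem" 2>/dev/null
}

# Bundle cert + key + CA into PKCS#12. Refuses a key that does not belong
# to the cert: a cert with no matching key behind it is one way to end up
# with "unable to find certificate" at connect time.
pem_to_p12() {
    cert="$1"; key="$2"; ca="$3"; nick="$4"; out="$5"; pass="$6"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match $cert" >&2; return 1; }
    # 3DES PBE keeps the bundle readable by old and new NSS versions alike.
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$ca" -name "$nick" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$pass" -out "$out"
}

# Import the bundle into an NSS db directory (initialised if needed) and
# succeed only if certutil -K now lists a private key under that nickname.
import_and_check() {
    p12="$1"; nick="$2"; dbdir="$3"; p12pass="$4"
    mkdir -p "$dbdir"
    pwfile="$dbdir/pwfile"; printf 'dbpass\n' > "$pwfile"   # db password (constructed)
    if [ ! -f "$dbdir/cert8.db" ] && [ ! -f "$dbdir/cert9.db" ]; then
        certutil -N -d "$dbdir" -f "$pwfile"
    fi
    pk12util -i "$p12" -d "$dbdir" -W "$p12pass" -k "$pwfile" >/dev/null
    certutil -K -d "$dbdir" -f "$pwfile" | grep -q "$nick"
}

# Usage: make_test_certs work && pem_to_p12 work/client.pem work/client.key \
#        work/ca.pem myClientCert work/client.p12 p12pass && \
#        import_and_check work/client.p12 myClientCert work/nssdb p12pass
```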
Re: where does certutil put a cert's private keys?
On Dec 3, 1:21 am, "fat.fuck" <[EMAIL PROTECTED]> wrote:
> On 3 Dec, 00:29, Eddy Nigg <[EMAIL PROTECTED]> wrote:
> > On 12/03/2008 02:20 AM, fat.fuck:
> > > i didn't explicitly supply the certs' private key file location to
> > > the certutil command line when i added the certs to cert7.db
> > > (although, the private key .pem files were in fact in the same
> > > directory as the .pem cert files when i ran the certutil command).
> >
> > This most likely means that there is no private key stored, just the
> > public key/certificate. You'd need to provide a PKCS12 file instead
> > which includes the private key.
> >
> > --
> > Regards
> >
> > Signer: Eddy Nigg, StartCom Ltd.
> > Jabber: [EMAIL PROTECTED]
> > Blog: https://blog.startcom.org
>
> thanks for your reply mr. nigg,
>
> > This most likely means that there is no private key stored, just the
> > public key/certificate. You'd need to provide a PKCS12 file instead
> > which includes the private key.
>
> that makes sense. thanks, mr nigg. now, please, can you tell me how i
> can view|list the private keys in key3.db once i've run certutil with
> a pkcs12 file?
>
> > "The Certificate Database Tool is a command-line utility that
> > can...display the contents of the key database..."
>
> what is the certutil command that the above statement from the
> certutil docs is referring to?
>
> mr. megginson, i can't work out what version of nss/certutil came
> bundled with the dsrk v 5.2 (is there a command i can run that would
> tell me?). all i know is i downloaded the dsrk 5.2 binaries from sun
> and installed it on my sun box on nov 25, 2006. so it's safe to assume
> i'm using whichever release of nss that was current on that date; i
> guess.
>
> i do know that the $HOME/.netscape on my sun box is from netscape
> communicator 4.76. again, the only reason i used that location is
> because the tutorial i was using instructed me to. and there just
> happened to be a cert7.db file at that location. from now on, i will
> use the cert8.db file in my "mozilla 1.4 for sun java desktop system
> (solaris operating system edition)" profile.
>
> also, running "truss ldapsearch..." spewed out a lot of gibberish that
> i don't have time to decipher at the moment. thanks for the suggestion
> anyway, mr. megginson.
>
> thanks in advance to anybody else in the ng who can also fill me in on
> anything that might be helpful.

i remembered what documentation instructed me to use $HOME/.netscape/
cert7.db. it was sun's "Sun ONE Server Console 5.2 Server Management
Guide". the chapter on "Using SSL and TLS with Sun ONE Servers":

http://docs.sun.com/source/816-6704-10/ssl.html#22531

"Copy the Netscape Communicator certificate database files, cert7.db
and key3.db, that contain your certificates to your .mcc directory.
...
On UNIX systems, the cert7.db and key3.db files are located in your
home directory, /$HOME/.netscape. $HOME is your root directory if you
are running Administration Server as root. $HOME is your user home
directory if you are running Administration Server as a user, for
example, /home/username or /export/home/username.
..."

i know it's neither here nor there. but i was going crazy trying to
remember myself why i used cert7.db.
Re: where does certutil put a cert's private keys?
ff wrote:
> i remembered what documentation instructed me to use $HOME/.netscape/
> cert7.db. it was sun's "Sun ONE Server Console 5.2 Server Management
> Guide". the chapter on "Using SSL and TLS with Sun ONE Servers":
>
> http://docs.sun.com/source/816-6704-10/ssl.html#22531
>
> "Copy the Netscape Communicator certificate database files, cert7.db
> and key3.db, that contain your certificates to your .mcc directory.
> ...
> On UNIX systems, the cert7.db and key3.db files are located in your
> home directory, /$HOME/.netscape. $HOME is your root directory if you
> are running Administration Server as root. $HOME is your user home
> directory if you are running Administration Server as a user, for
> example, /home/username or /export/home/username.
> ..."
>
> i know it's neither here nor there. but i was going crazy trying to
> remember myself why i used cert7.db.

That document is 5 years old, and was written to describe a version of
the software that was released at that time. It was accurate when it
was written, and probably is still accurate for that software version.